nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

JWT + Bearer Tokens #25

Closed tecnobrat closed 6 years ago

tecnobrat commented 6 years ago

Hello!

We currently use kong to validate JWT bearer tokens and also JWTs that are stored in cookies.

Does your plugin support either of these?

What would happen in the case that it got a JWT in a bearer token that needed refreshing? Can we specify the cookie name that has a JWT in it?

We're basically looking for a way to validate JWTs, but by using the OIDC spec with kid values from the JWKS file.

Regards

Trojan295 commented 6 years ago

Hello @tecnobrat ,

Hmm... I think I don't understand the case you want to cover. Do you want to validate any JWT tokens (not only tokens used in OIDC)? This plugin currently supports only the OIDC Authorization Code grant and in this case the user-agent doesn't have access to the tokens. Sure, they are passed in the request header, but it's encrypted and managed by Kong. Kong is responsible for getting tokens, validating them and refreshing them.

The case you would like to cover is, that the user-agent gets the JWT tokens somehow from the OIDC Provider, adds them to the HTTP requests going through Kong and Kong validates them to pass the request to the upstream server?

tecnobrat commented 6 years ago

So what is passed to the client? Does kong create its own session and return that to the client?

Trojan295 commented 6 years ago

In fact yes. Kong stores the access tokens in encrypted cookies. Underneath lua-resty-session is used to store them and it also allows storing session data on the server side (for ex. in Redis).

But it is also possible to pass a Bearer token in the Authorization header (I think that's the case you are interested in). In this case you need to have the introspection_endpoint config field set to the OAuth2 Token Introspection Endpoint URL of the OIDC Provider you use. In this case the plugin will introspect the token in the Authorization header every time. Currently it's not possible to provide a public key to perform an offline validation of the JWT token. But IMO, it looks like an interesting feature.
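The bearer-token path described above, as an added example that is not part of kong-oidc and not the plugin's own code: a gateway-side check that pulls the token out of `Authorization: Bearer ...`, sends it to an RFC 7662 introspection endpoint, and admits the request only if the provider reports it as active (and, where present, unexpired and carrying the required scope). The endpoint URL, client credentials and the stub provider responses are constructed for illustration; the transport is injectable so the whole thing runs offline.

```python
"""Added example (not part of nokia/kong-oidc): a minimal RFC 7662 token
introspection check of the kind a gateway performs when a request carries
``Authorization: Bearer <token>`` and an introspection endpoint is configured.
All URLs, client credentials and provider responses below are constructed."""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

INTROSPECTION_ENDPOINT = "https://idp.example.test/oauth2/introspect"  # assumed
CLIENT_ID = "kong"            # assumed
CLIENT_SECRET = "s3cr3t"      # assumed


def extract_bearer(authorization_header):
    """Return the bearer token from an Authorization header, or None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def build_introspection_request(token):
    """Build the POST the gateway sends to the introspection endpoint.
    RFC 7662 requires the endpoint to authenticate the caller; HTTP Basic
    with the client credentials is the usual choice."""
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return Request(INTROSPECTION_ENDPOINT, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def evaluate_introspection(response_json, now=None, required_scope=None):
    """Decide whether to admit the request; returns (allowed, reason).
    'active' is the only field RFC 7662 mandates, so exp and scope are
    checked only when the provider includes them."""
    now = time.time() if now is None else now
    if response_json.get("active") is not True:
        return False, "token not active"
    exp = response_json.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    if required_scope:
        scopes = set((response_json.get("scope") or "").split())
        if required_scope not in scopes:
            return False, f"missing scope {required_scope}"
    return True, "ok"


def authorize(authorization_header, send, now=None, required_scope=None):
    """Full path: header -> introspection request -> decision. `send` takes a
    urllib Request and returns the response body bytes, so the transport can
    be stubbed (as below) or replaced with urllib.request.urlopen(...).read()."""
    token = extract_bearer(authorization_header)
    if token is None:
        return False, "no bearer token"
    raw = send(build_introspection_request(token))
    try:
        parsed = json.loads(raw)
    except ValueError:
        return False, "unparseable introspection response"
    return evaluate_introspection(parsed, now=now, required_scope=required_scope)


# Constructed stub standing in for the OIDC provider's introspection endpoint.
SAMPLE_RESPONSES = {
    "good-token": {"active": True, "scope": "openid profile", "exp": 2_000_000_000, "sub": "alice"},
    "expired-token": {"active": True, "scope": "openid", "exp": 1_000_000_000},
}


def fake_send(request):
    """Offline transport: answer from SAMPLE_RESPONSES, unknown tokens inactive."""
    form = dict(p.split("=", 1) for p in request.data.decode().split("&"))
    token = form.get("token", "")
    return json.dumps(SAMPLE_RESPONSES.get(token, {"active": False})).encode()


if __name__ == "__main__":
    for header in ("Bearer good-token", "Bearer expired-token", "Bearer unknown", "Basic abc", None):
        print(header, "->", authorize(header, fake_send, now=1_500_000_000, required_scope="openid"))
```

Note that every request costs a round trip to the provider, which is the trade-off the comment above describes: introspection gives the provider a say on each call (revocation takes effect immediately), whereas offline JWT validation against the provider's keys would avoid the round trip but not see revocations until expiry.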

Trojan295 commented 6 years ago

Closing this, as it looks like a duplicate of #26